Apache HttpD Web Server - Hardening and other Security Considerations

Overview
Date
Location
Agenda
October 15-17, 2018
Las Vegas, Nevada, Hard Rock Hotel
Php, Apache and OpenSSL Vulnerabilities

Security Hardening – Apache
Web
How to by: Andrew Carr

Who am I, and why should you listen to what I have to
say?
• Andrew Carr – andrew.carr@roguewave.com
• I.T. Field since 1996
• Apache Web Server since 1998
• Software Development
• OSS Advocate, contributor
• Nerd

Agenda
• Vagrant
• VirtualBox
• Setting up instance
• Installing Apache2 for
testing
• Accessing Virtual
Machines
• OpenSSL
• Apache Web Server
• Common Locations
for Configuration
• PHP
• Apache Hardening
• Php Security
• Q/A and Help

vagrant

The Vagrant Website
• Vagrantup.com

What is Vagrant?
• A quick solution
– Spin up instances as fast as they can download
• Multiple solutions provided
– Easily search for any kind of environment you need

How to
• Download and install vagrant
– Vagrant is available for Windows, Centos, Linux, etc…
• After downloading installing is simple
– Run the MSI package, install from the command line,
or use a package manager
• You need a hypervisor
– A number of hypervisors are available for free, for
many different platforms.

VirtualBox

What is a hypervisor?
• A hypervisor is a process that separates a computer's operating system
and applications from the underlying physical hardware. Usually done as
software although embedded hypervisors can be created for things like
mobile devices.
• Linux KVM – Linux Opensource H-v
• ESXi – Windows closed source H-v
• Xen – GPL2 H-v – Oracle, Cisco (Windows, Linux, etc…)
• Oracle Virtual Box – OVF Imports
(Open Virtualization Format)
OSS

Virtual Box
• https://www.virtualbox.org
• Multiplatform OSS
– Windows
– OSX
– Linux
– Solaris

Setting Up An Instance

Putting it all together
• Download VirtualBox from virtualbox.org
• Download Vagrant from vagrantup.com
• Determine what images you would like to run while files are downloading.
• Install VirtualBox.
• Install Vagrant.
• Open a command prompt / terminal and run “vagrant init <image-name>”
• Run image with “vagrant up”

Searching for Vagrant Images
• https://app.vagrantup.com/boxes/search
• Search for any distribution of operating system.
• Test these locally.

Vagrant File
• https://www.vagrantup.com/docs/vagrantfile/
• Describe a machine in a file for easy deployment
• Below is an example that will loop three times defining a node instance
each time.

QUESTIONS?
Andrew.carr@roguewave.com

Setting up Apache Web

Linux Installation
• Installing Apache is simple
– Using linux package manager
• ‘yum install httpd’
• ‘apt-get install apache2’
– Adding php with package manager
• ‘yum install php’
• ‘apt-get install php*’
– Windows
• Download binaries from Apache Haus
• Build using Cygwin

Other Options
• Building from the source
– You can obtain the apache web server source code from the Apache
website.
– To build in linux you simply use build tools
– On Windows use Cygwin
• Benefits of building from the source
– Native build
– Native libraries
– Fine control over features

Setting up Apache for Testing
• Login to an instance
– ‘vagrant ssh’
– Forward the ports required to connect to your instance. (See Vbox
Example)

Implementation
• Here we will setup Apache on an instance.

OPENSSL

OpenSSL
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols
• Provides encyrption tools
• Allows Apache / Other web servers to encrypt traffic
• Provides a lot of other tools

OpenSSL
• Between 1998 and 2010 - 0.9.1 – 0.9.8
• Current version, released 1.1.0, releaased 2016
• Companies currently run production with 0.9.8, 7-12
years old

OpenSSL - CLI
• ‘openssl version’
• ‘openssl version –a’
• ’openssl ciphers –v’ (Cipher list, use ’man cipher’ for more information)
• ‘openssl speed’ (Benchmark Tool)

Heartbleed
• Bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer security
protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of
memory contents from the server to the client and from the client to the server.
• "Without using any privileged information or credentials we were able steal from
ourselves the secret keys used for our X.509 certificates, user names and passwords,
instant messages, emails and business critical documents and communication.”
• Affects
– OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
– OpenSSL 1.0.1g is NOT vulnerable
– OpenSSL 1.0.0 branch is NOT vulnerable
– OpenSSL 0.9.8 branch is NOT vulnerable
• Mitigation
– 1.0.1g or newer should be used.
– -DOPENSSL_NO_HEARTBEATS.

Heartbleed in the Community
• Venafi Scan – 1 year later (2015)
– Of Forbes global 2000, 1642 have not done anything to remidiate
• What should they do?
– Upgrade SSL
– Create new keys
– Reissue certs

OpenSSL - DOS
• CVE-2017-3733
• What is DOS?
• Affected versions include 0.9.8 – 1.1.0 (not 1.0.2)
• Mitigation
– Upgrade SSL – 1.1.0e
– Use OpenSSL 1.0.2
• 0.9.8 EOL – Dec 2015 (DO NOT USE)

OpenSSL – How to avoid vulnerability
• Stay current - https://www.openssl.org/news/
• CVEs - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl
• OpenUpdate from Roguewave
• Ensure your OpenSSL is up-2-date

OpenSSL Vulnerabilities
• DROWN
– A serious vulnerability that affects HTTPS and other services that rely on
SSL and TLS, some of the essential cryptographic protocols for Internet
security. These protocols allow everyone on the Internet to browse the
web, use email, shop online, and send instant messages without third-
parties being able to read the communication.
• HEARTBLEED
– M-I-T-M Attack
• DOS Vulnerabilities
• Other M-I-T-M
– Symatec discovers vulnerability that affects OpenSSL versions 1.0.2c,
1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c are
advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and
1.0.1o are advised to immediately upgrade to 1.0.1p.

OpenSSL Installation
• OpenSSL is preinstalled on a lot of operating systems.
• Building is simple
– Get the source
– Configure
– Compile
– Install
– Reference new SSL when building other products

Apache Web Server

Apache Web Server
• A community webserver with prolific implementation
• Current versions
– 2.4.29
– 2.2.34 (FINAL)
• 2.2 was EOL’d June 2017 with security updates to December 2017
• Appx 68 million public instances of Apache Web in use (builtwith.com)
– More than 70% use vulnerable versions

Apache Vulnerabilities
• 0-day – What is it?
• 2.2 Vulnerabilities
– OptionsBleed – CVE-2017-9798
• Ignore the htaccess file
– Unitialized Memory Reflection – CVE-2017-9788
• Affects 2.2.0 – 2.2.32 (fixed in .34)
• Reveals confidential information
– Authentication Bypass – CVE-2017-3167

CVE

Apache 2.2 Additional Vulnerabilities
• important: Uninitialized memory reflection in
mod_auth_digest (CVE-2017-9788)
• important: ap_get_basic_auth_pw() Authentication
Bypass (CVE-2017-3167)
• important: mod_ssl Null Pointer Dereference (CVE-
2017-3169)
• important: ap_find_token() Buffer Overread (CVE-
2017-7668)
• important: mod_mime Buffer Overread (CVE-2017-
7679)
• important: Apache HTTP Request Parsing
Whitespace Defects (CVE-2016-8743)
• n/a: HTTP_PROXY environment variable "httpoxy"
mitigation (CVE-2016-5387)
• low: HTTP request smuggling attack against
chunked request parser (CVE-2015-3183)
• important: mod_cgid denial of service (CVE-2014-
0231)
• low: HTTP Trailers processing bypass (CVE-2013-
5704)
• moderate: mod_deflate denial of service (CVE-
2014-0118)
• moderate: mod_status buffer overflow (CVE-2014-
0226)
• low: mod_log_config crash (CVE-2014-0098)
• moderate: mod_dav crash (CVE-2013-6438)
• low: mod_rewrite log escape filtering (CVE-2013-
1862)
• moderate: mod_dav crash (CVE-2013-1896)
• low: XSS due to unescaped hostnames (CVE-2012-
3499)
• moderate: XSS in mod_proxy_balancer (CVE-2012-
4558)
• low: XSS in mod_negotiation when untrusted
uploads are supported (CVE-2012-2687)
• Note: This issue is also known as CVE-2008-0455.
• low: insecure LD_LIBRARY_PATH handling (CVE-
2012-0883)
• low: mod_proxy_ajp remote DoS (CVE-2012-4557)
• low: mod_setenvif .htaccess privilege escalation
(CVE-2011-3607)
• low: mod_log_config crash (CVE-2012-0021)
• low: scoreboard parent DoS (CVE-2012-0031)
• moderate: mod_proxy reverse proxy exposure
(CVE-2011-4317)
• moderate: error responses can expose cookies
(CVE-2012-0053)
• low: mod_deflate DoS (CVE-2009-1891)
• low: AllowOverride Options handling bypass
(CVE-2009-1195)
• low: CRLF injection in mod_negotiation when
untrusted uploads are supported (CVE-2008-
0456)
• moderate: APR-util off-by-one overflow (CVE-
2009-1956)
• moderate: APR-util XML DoS (CVE-2009-
1955)
• moderate: APR-util heap underwrite (CVE-
2009-0023)
• important: Timeout detection flaw
(mod_proxy_http) (CVE-2010-2791)
• low: mod_proxy_ftp globbing XSS (CVE-2008-
2939)
• low: mod_proxy_balancer CSRF (CVE-2007-
6420)
• moderate: mod_proxy_http DoS (CVE-2008-
2364)
• low: mod_proxy_ftp UTF-7 XSS (CVE-2008-
0005)
• low: mod_proxy_balancer DoS (CVE-2007-
6422)
• low: mod_proxy_balancer XSS (CVE-2007-
6421)
• moderate: mod_status XSS (CVE-2007-6388)
• moderate: mod_imagemap XSS (CVE-2007-
5000)
• moderate: mod_proxy crash (CVE-2007-3847)
• moderate: mod_status cross-site scripting
(CVE-2006-5752)
• moderate: Signals to arbitrary processes
(CVE-2007-3304)
• moderate: mod_cache information leak (CVE-
2007-1862)
• moderate: mod_cache proxy DoS (CVE-2007-
1863)
• important: mod_rewrite off-by-one error (CVE-
2006-3747)
• low: mod_ssl access control DoS (CVE-2005-
3357)
• moderate: mod_imap Referer Cross-Site
Scripting (CVE-2005-3352)
• moderate: mod_proxy_ajp remote DoS
(CVE-2011-3348)
• important: Range header remote DoS
(CVE-2011-3192)
• Advisory: CVE-2011-3192.txt
• moderate: apr_fnmatch flaw leads to
mod_autoindex remote DoS (CVE-2011-
0419)
• low: expat DoS (CVE-2009-3720)
• low: expat DoS (CVE-2009-3560)
• low: apr_bridage_split_line DoS (CVE-
2010-1623)
• important: Timeout detection flaw
(mod_proxy_http) (CVE-2010-2068)
http://www.apache.org/dist/httpd/patches
/apply_to_2.2.15/CVE-2010-2068-
r953616.patch
http://www.apache.org/dist/httpd/patches/ap
ply_to_2.3.5/CVE-2010-2068-r953418.patch
http://www.apache.org/dist/httpd/binaries/wi
n32/mod_proxy_http-CVE-2010-2068.zip
• low: mod_cache and mod_dav DoS
(CVE-2010-1452)
• important: mod_isapi module unload
flaw (CVE-2010-0425)
• low: Subrequest handling of request
headers (mod_headers) (CVE-2010-
0434)
• moderate: mod_proxy_ajp DoS (CVE-
2010-0408)
• low: mod_proxy_ftp DoS (CVE-2009-
3094)
low: mod_proxy_ftp FTP command injection
(CVE-2009-3095)
• moderate: Solaris pollset DoS (CVE-
2009-2699)
• low: APR apr_palloc heap overflow
(CVE-2009-2412)
• important: mod_proxy reverse proxy
DoS (CVE-2009-1890)
• important: mod_proxy_ajp information
disclosure (CVE-2009-1191)

Apache - Upgrading
• UPGRADE TO 2.4
– Not that complicated
– Most setups that run 2.2 will run 2.4
• http://httpd.apache.org/docs/2.4/upgrading.html
• 2.2 configuration
– Order deny,allow Deny from al
– TO-> Require all denied
• 2.2 configuration:
– Order allow,deny Allow from all
– TO-> Require all granted

Config Locations

View some common configuration
elements
• Linux / Unix / Solaris env.
– /ETC is your friend!
– Httpd.conf / apache2.conf
– “Include Directories”
• Windows Installation
– Normally in program files.

What should you change / add?
• Systemctl / Some Windows Domain Settings
• OOM Settings
• Server output
• Firewall
• Directory Listings / Files
• Mod Security?
• Other Settings – Google
• CGI Execution

PHP

PHP 5 – 7
• PHP is in use everywhere
• PHP 5 has over 500 vulnerabilites (Mitre.org)
• Upgrade to PHP 7
– Lots of information on migration
– http://php.net/manual/en/migration70.php
• If you have to use 5, harden it

Hardening Apache

Sysctl
• Accept_source_route = 0
– 4 / 6
– All / Default
• Ignore Redirects
• Martians
• Block Syn Attacks
• Ignore ICMP
• ICMP Redirect
– (Don’t forget sysctl.d/10-network-security.conf)
A Martian packet is an IP packet seen on the public internet that contains a source or destination address that is reserved for special-use by Internet Assigned Numbers
Authority(IANA). On the public Internet, such a packet’s source address is either spoofed, and it cannot actually originate as claimed, or the packet cannot be delivered.[1]
Martian packets commonly arise from IP address spoofing in denial-of-service attacks,[2] but can also arise from network equipment malfunction or misconfiguration of a host.[1]
In Linux terminology, a martian packet is an IP packet received by the kernel on a specific interface, while routing tables indicate that the source IP is expected on another interface.
The name is derived from packet from Mars, meaning that packet seems to be not of this earth.[3]

Kernel Panic
• vm.panic_on_oom = 1
• Forces Reboot
• Prevents some root kits / overruns
• THINK OF THE IMPLICATIONS!

Deny Hosts
• Deny hosts blocks multiple attempts to authenticate.
2017-02-10 18:23:37,811 - denyhosts : INFO restricted: set([]) 2017-02-10
18:23:37,812 - AllowedHosts: WARNING Couldn't load warned hosts from
/var/lib/denyhosts/allowed-warned-hosts 2017-02-10 18:23:37,812 - denyhosts : INFO
launching DenyHosts daemon (version 2.10)... 2017-02-10 18:23:37,813 - denyhosts :
INFO DenyHost daemon is now running, pid: 25774 2017-02-10 18:23:37,813 -
denyhosts : INFO send daemon process a TERM signal to terminate cleanly 2017-02-
10 18:23:37,813 - denyhosts : INFO eg. kill -TERM 25774 2017-02-10 18:23:37,814 -
denyhosts : INFO monitoring log: /var/log/auth.log 2017-02-10 18:23:37,814 -
denyhosts : INFO sync_time: 3600 2017-02-10 18:23:37,814 - denyhosts : INFO
purging of /etc/hosts.deny is disabled 2017-02-10 18:23:37,814 - denyhosts : INFO
denyhost synchronization disabled

Server Version Hiding
• Server Signature - The ServerSignature directive allows the configuration
of a trailing footer line under server-generated documents …
– OFF
• Server Tokens - This directive controls whether Server response header
field which is sent back to clients includes a description of the generic OS-
type of the server as well as information about compiled-in modules …
• PROD

Firewalls
• Hardware Devices
• Iptables
• FirewallD
• Other

Directory Listings
• Add options –indexes
– Indexes - If a URL which maps to a directory is requested and there
is no DirectoryIndex (e.g., index.html) in that directory,
then mod_autoindex will return a formatted listing of the directory.
• Example:

Mod Security -
https://www.modsecurity.org/download.html
• Open Source Firewall for applications
• Easy to install
– Ubuntu
• sudo apt-get install
libapache2-mod-security
• sudo a2enmod mod-security
– Rhel / Centos / Fedora
• sudo yum install
mod_security
• Don’t forget to restart Apache when
making changes to the configuration
Always consider the implications !!!

Mod Evasive
• mod_evasive is a module for Apache that provides evasive action in the
event of an HTTP Distributed Denial of Service (DDoS/DoS) attack or
brute force attack.
– It is also designed to be a detection and network management tool,
and can be easily configured to talk to ipchains, firewalls, routers,
and more. mod_evasive presently reports abuse via email and syslog
facilities.
– https://www.linode.com/docs/web-servers/apache-tips-and-
tricks/modevasive-on-apache/
• Think of implications, always.
– Thorough testing.

Apache 2 Hardening
• The web is your friend!!!
• https://geekflare.com/10-best-practices-to-
secure-and-harden-your-apache-web-server/

Hardening Apache 2 - Recap
• Secure your underlying system.
• ServerSignature - turn off
• Turn off directory listings using options
• Check for unused modules in your web server configuration
• Check user / group privileges
• Use allow and deny for all directories
• Mod_security / Mod_evasive
• Disable Symlinks (-followsymlinks)
• Turn off SSI (Server Side Includes)

PHP Security

Php 5.5.9 Exploit – Moadmin
Mongo Admin tool
• Allows execution of code
• Not PHP’s fault
• Large negative impact

Hardening PHP
• Prevent fOpen wrappers
– Allow_url_fopen
• Limit process time / input time
– Max_input_time
– Max_execution_time
• Limit script memory
– Memory_limit
• Turn Register Globals off
– Register_globals

Hardening PHP - Cont
• Don’t expose PHP in response
– Expose_php
• Only use redirect
– Cgi.force_redirect
• Impose input restrictions
– Post_max_size
– Max_input_vars
• Do not display error information
– Display_errors=0
– Display_startup_errors

Hardening PHP - Cont
• Log errors
– Log_errors
– Error_log
• Restrict File Access
– Open_basedir
• File Uploads
– File_uploads
– Upload_max_filesize
• Session Security
• Cookie Security

Building PHP 7
How to build PHP 7
• sudo yum install git gcc gcc-c++ libxml2-devel pkgconfig openssl-devel bzip2-devel curl-devel
libpng-devel libjpeg-devel libXpm-devel freetype-devel gmp-devel libmcrypt-devel mariadb-devel
aspell-devel recode-devel autoconf bison re2c libicu-develsudo mkdir /usr/local/php7git clone
https://github.com/php/php-src.gitcd php-srcgit checkout PHP-7.0.2./buildconf --force./configure
--prefix=/usr/local/php7 --with-config-file-path=/usr/local/php7/etc --with-config-file-scan-
dir=/usr/local/php7/etc/conf.d --enable-bcmath --with-bz2 --with-curl --enable-filter -
-enable-fpm --with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir --
with-png-dir --enable-intl --enable-mbstring --with-mcrypt --enable-mysqlnd --with-
mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd
--with-pdo-sqlite --disable-phpdbg --disable-phpdbg-webhelper --enable-opcache --
with-openssl --enable-simplexml --with-sqlite3 --enable-xmlreader --enable-xmlwriter
--enable-zip --with-zlibmake -j2Make installsudo mkdir /usr/local/php7/etc/conf.dsudo cp -v
./php.ini-production /usr/local/php7/lib/php.inisudo cp -v ./sapi/fpm/www.conf
/usr/local/php7/etc/php-fpm.d/www.confsudo cp -v ./sapi/fpm/php-fpm.conf
/usr/local/php7/etc/php-fpm.conf#Or Debug##sudo vi /usr/local/php7/etc/conf.d/modules.ini##
OPcache#zend_extension=opcache.sosudo vi /usr/local/php7/etc/php-fpm.d/www.confuser =
centosgroup = centos listen = /var/run/php-fpm.sock listen.owner = apachelisten.group =
apachesudo ln -s /usr/local/php7/sbin/php-fpm /usr/sbin/php-fpm#. /usr/lib/systemd/system/php-
fpm.service[Unit]Description=The PHP FastCGI Process ManagerAfter=syslog.target
network.target[Service]Type=simplePIDFile=/run/php-fpm/php-fpm.pidExecStart=/usr/sbin/php-
fpm --nodaemonize --fpm-config /usr/local/php7/etc/php-fpm.confExecReload=/bin/kill -USR2
$MAINPID[Install]WantedBy=multi-user.target sudo mkdir /run/php-fpmchkconfig --levels
235 php-fpm onsystemctl start php-fpm#Put in test.php<?php phpinfo(); ?>

Building PHP 7
How To Build
• Get the source
• Get the dependencies
• Grab additional files for anything you want to enable
• ./configure –help is your friend
• Ask Roguewave experts

Questions…?

Apache HttpD Web Server - Hardening and other Security Considerations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Apache HttpD Web Server - Hardening and other Security Considerations

Similar to Apache HttpD Web Server - Hardening and other Security Considerations (20)

Recently uploaded

Recently uploaded (20)

Apache HttpD Web Server - Hardening and other Security Considerations

Editor's Notes